Fast Identity Online 2 (FIDO2) uses public-key authentication to address the weaknesses of password-based methods. Its security model assumes that credentials are device-bound and non-exportable: the private key never leaves the authenticator that created it. Modern users, however, increasingly expect to use their credentials across multiple devices. Passkeys therefore allow credentials to be either synchronized across devices or device-bound, which turns the choice into a trade-off between usability and security.
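The synced-versus-device-bound distinction described above is visible to a relying party: WebAuthn Level 3 reports it in the authenticator data flags byte via the BE (backup eligible, bit 3) and BS (backup state, bit 4) bits. The following is an added example, not code from the paper or from its HAB implementation, showing how a relying party parses those flags and enforces a device-bound-only policy. The RP ID "example.com", the helper names, and the authenticator data samples are constructed for illustration.

```python
"""Classify a FIDO2/WebAuthn credential as device-bound or synced from the
authenticator data flags byte, and apply a relying-party policy on it.
Sample authenticator data is constructed locally, not captured from a device.
"""
import hashlib
import struct

# Bits of the authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may be synced
FLAG_BS = 1 << 4  # backup state: credential is currently backed up / synced
FLAG_AT = 1 << 6  # attested credential data follows (registration)
FLAG_ED = 1 << 7  # extension data follows

AUTH_DATA_MIN_LEN = 32 + 1 + 4  # rpIdHash || flags || signCount


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID, as the authenticator places it in authData."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def flags_well_formed(flags: int) -> bool:
    """WebAuthn L3: if BE is 0 then BS MUST be 0; anything else is malformed."""
    return not (flags & FLAG_BS and not flags & FLAG_BE)


def classify_binding(flags: int) -> str:
    """Map BE/BS to the three credential states the spec distinguishes."""
    if not flags & FLAG_BE:
        return "device-bound"       # single-device credential, non-exportable
    if flags & FLAG_BS:
        return "synced"             # multi-device credential, currently backed up
    return "backup-eligible"        # multi-device credential, not yet backed up


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of WebAuthn authenticator data.

    Attested credential data (AT) and extensions (ED) are left unparsed;
    the binding decision only needs the prefix.
    """
    if len(auth_data) < AUTH_DATA_MIN_LEN:
        raise ValueError("authenticator data shorter than 37 bytes")
    digest = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    if not flags_well_formed(flags):
        raise ValueError("BS set without BE: malformed flags")
    return {
        "rp_id_hash": digest,
        "flags": flags,
        "sign_count": sign_count,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "binding": classify_binding(flags),
    }


def accept_for_rp(auth_data: bytes, rp_id: str, require_device_bound: bool) -> bool:
    """RP-side check: RP ID hash matches, user was present, binding meets policy."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != rp_id_hash(rp_id):
        return False
    if not parsed["user_present"]:
        return False
    if require_device_bound and parsed["binding"] != "device-bound":
        return False
    return True


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a 37-byte authData prefix (no AT/ED) as a test vector."""
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed samples: one device-bound credential, one synced passkey.
    bound = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    synced = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    for name, data in (("bound", bound), ("synced", synced)):
        parsed = parse_authenticator_data(data)
        print(name, parsed["binding"], "accepted under device-bound policy:",
              accept_for_rp(data, "example.com", require_device_bound=True))
```

A relying party that depends on the non-exportability guarantee should evaluate these bits on every assertion, not only at registration, since a credential's BS bit can change over its lifetime. Note also that synced passkeys typically report a signature counter of zero, so counter-based clone detection gives no signal for them.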
We propose a hardware authenticator binding (HAB) scheme that enables virtual synchronization of device-bound FIDO2 credentials, combining the benefits of both approaches. A user-selected, cloud-based HAB service manages authenticator registration, revocation, and recovery. To ensure security, the service employs decentralized key management, unlinkable binding certificates, and remote attestation using trusted execution environments. We implemented the HAB service using AMD SEV-SNP, leveraging virtual machine-level isolation for trusted attestation. Our security and performance evaluations show the feasibility of the HAB scheme.